E-MailRelay
An interface for implementing the server-side SASL challenge/response concept.
#include <gsaslserver.h>
Public Member Functions

virtual ~SaslServer ()=default
    Destructor.
virtual G::StringArray mechanisms (bool secure) const =0
    Returns a list of supported, standard mechanisms that can be advertised to the client.
virtual void reset ()=0
    Clears the internal state as if just constructed.
virtual bool init (bool secure, const std::string &mechanism)=0
    Initialiser for the given mechanism.
virtual std::string mechanism () const =0
    Returns the current mechanism, as selected by the last successful init().
virtual std::string preferredMechanism (bool secure) const =0
    Returns a preferred mechanism if authentication with the current mechanism has failed.
virtual bool mustChallenge () const =0
    Returns true if authentication using the current mechanism must always start with a non-empty server challenge, ie. it is a "server-first" mechanism as per RFC-4422.
virtual std::string initialChallenge () const =0
    Returns the possibly-empty initial server challenge.
virtual std::string apply (const std::string &response, bool &done)=0
    Applies the client response and returns the next challenge and a 'done' flag by reference.
virtual bool authenticated () const =0
    Returns true if authenticated successfully.
virtual std::string id () const =0
    Returns the authenticated or trusted identity.
virtual bool trusted (const G::StringArray &address_wildcards, const std::string &address_display) const =0
    Returns true if a trusted client that does not need to authenticate.

An interface for implementing the server-side SASL challenge/response concept.
In practice there is one derived class for basic authentication mechanisms using a secrets file, and another for PAM.
Usage:
Available mechanisms depend on the encryption state ('secure'). In practice there can often be no mechanisms when in the insecure state. If there are no mechanisms then the protocol might advertise a mechanism that always fails to authenticate, returning a 'secure connection required' error to the client – but that behaviour is out of scope at this interface.
Definition at line 75 of file gsaslserver.h.
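A sketch of how a protocol layer might drive this interface, added here as an example and not taken from E-MailRelay's source. SaslServerLike is a trimmed stand-in for the documented interface, and ToyPlain, runAuth() and the credential are constructed for illustration.

```cpp
#include <string>
#include <vector>
using Strings = std::vector<std::string>; // stands in for G::StringArray
// Assumption: trimmed stand-in for the documented interface, not the real header.
struct SaslServerLike {
    virtual ~SaslServerLike() = default;
    virtual Strings mechanisms(bool secure) const = 0;
    virtual bool init(bool secure, const std::string& mechanism) = 0;
    virtual bool mustChallenge() const = 0;
    virtual std::string initialChallenge() const = 0;
    virtual std::string apply(const std::string& response, bool& done) = 0;
    virtual bool authenticated() const = 0;
    virtual std::string id() const = 0;
};

// Constructed toy backend: PLAIN only, one made-up account, nothing offered unencrypted.
struct ToyPlain : SaslServerLike {
    bool m_ok = false;
    Strings mechanisms(bool secure) const override { return secure ? Strings{"PLAIN"} : Strings{}; }
    bool init(bool secure, const std::string& m) override {
        m_ok = false; // each init() starts a fresh attempt
        for (const auto& x : mechanisms(secure)) if (x == m) return true;
        return false;
    }
    bool mustChallenge() const override { return false; } // client may send an initial response
    std::string initialChallenge() const override { return {}; }
    std::string apply(const std::string& r, bool& done) override {
        done = true; // PLAIN settles in one response: authzid NUL authcid NUL password
        m_ok = (r == std::string("\0alice\0s3cret", 13)); // toy check, not constant-time
        return {};
    }
    bool authenticated() const override { return m_ok; }
    std::string id() const override { return m_ok ? "alice" : ""; }
};

// Runs one exchange over decoded client responses; 'initial' means the first came with AUTH.
std::string runAuth(SaslServerLike& s, bool secure, const std::string& mech,
                    bool initial, const Strings& responses, Strings& sent) {
    if (!s.init(secure, mech)) return {};               // not in mechanisms(secure)
    if (initial && s.mustChallenge()) return {};        // server-first: reject early response
    if (!initial) sent.push_back(s.initialChallenge()); // possibly empty
    bool done = false;
    for (const auto& r : responses) {
        if (done) break;
        std::string next = s.apply(r, done);
        if (!done) sent.push_back(next);                // further challenge for the client
    }
    return (done && s.authenticated()) ? s.id() : std::string(); // only trusted once 'done'
}
```

The driver consults authenticated() only after apply() has set 'done', which matters for mechanisms that add a final empty round-trip.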
virtual std::string apply (const std::string &response, bool &done) [pure virtual]
Applies the client response and returns the next challenge and a 'done' flag by reference.
Note that some mechanisms generate an extra round-trip even after the authentication status has been settled. In this case the 'done' flag will be set true only when the final empty response from the client is apply()d.
virtual bool authenticated () const [pure virtual]
Returns true if authenticated successfully.
Precondition: apply() 'done'
virtual std::string id () const [pure virtual]
Returns the authenticated or trusted identity.
Returns the empty string if not authenticated and not trusted.
virtual bool init (bool secure, const std::string &mechanism) [pure virtual]
Initialiser for the given mechanism.
Returns true iff the requested mechanism is in the mechanisms() list. May be used more than once. The initialChallenge() is re-initialised on each successful init().
virtual G::StringArray mechanisms (bool secure) const [pure virtual]
Returns a list of supported, standard mechanisms that can be advertised to the client.
The parameter indicates whether the transport connection is currently encrypted.
Returns the empty set if authentication is not possible for the given encryption state.
virtual bool mustChallenge () const [pure virtual]
Returns true if authentication using the current mechanism must always start with a non-empty server challenge, ie. it is a "server-first" mechanism as per RFC-4422.
Returns false for the "LOGIN" mechanism since the initial challenge ("Username:") is not essential, ie. it is an RFC-4422 "variable" mechanism.
The server should call initialChallenge() to decide whether to send an initial challenge; this method is only to stop a client providing an initial response before an initial challenge has been sent.
virtual std::string preferredMechanism (bool secure) const [pure virtual]
Returns a preferred mechanism if authentication with the current mechanism has failed.
Returns the empty string if there is no preference. This allows the negotiation of the mechanism to be user-specific, perhaps by having the first mechanism a probe mechanism that fails for all users.
virtual void reset () [pure virtual]
Clears the internal state as if just constructed.
Postcondition: mechanism().empty() && id().empty() && !authenticated() && !trusted()
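virtual bool trusted (const G::StringArray &address_wildcards, const std::string &address_display) const [pure virtual]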
Returns true if a trusted client that does not need to authenticate.
Pass Address::wildcards() and Address::hostPartString().